I'm setting up an AWS account with several users. Each of these users has policies attached that restrict their access to specific S3 buckets/objects and the EC2 instance types / Autoscaling Groups they can launch.
Users can launch multiple on-demand / spot instances at any given time. I want to make sure that the instances that a specific user launches have the same permissions or restrictions as the user that launched them. I'm sure I can find a way of setting up the corresponding user credentials on startup but I'd rather use roles for this.
I've been able to create a role and an instance profile to launch an EC2 instance and get S3 access with temporary credentials instead of setting up the user's access key ID and secret access key on that instance. However, is there any way of having the role mimic the user's permissions so any instance launched by that user has their same restrictions? Right now a user could simply use this role to launch an EC2 instance and use that instance to access S3 buckets and objects he should not be able to access otherwise. Furthermore, some of the policies use the `aws:username` variable, which is not available when the principal is an assumed role.
One workaround seems to be creating user-specific roles with the same policies as the ones attached to the user, but this seems like a bad approach, especially if I have a big number of users whose permissions I constantly update. I'm also unsure if I'm able to restrict users from assuming roles different than their corresponding ones. Lastly, this still would not work for policies that use `aws:username`.
What are my options here? What would be a good practice in this scenario?
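As an added example (not part of the question or of any answer on this page), the following Python script builds the two IAM policy documents that address the "can I stop a user from launching instances with someone else's role" part of the question. The idea is that a single managed `iam:PassRole` policy, attached to every user, uses the `${aws:username}` policy variable in its `Resource` ARN so that each user can only pass the per-user role whose name matches their own username, and only to the EC2 service (`iam:PassedToService` condition). The role's trust policy then allows only `ec2.amazonaws.com` to assume it, so nobody can call `sts:AssumeRole` on a colleague's role directly. The account id `123456789012`, the `ec2-for-` role-name prefix and the user names are constructed placeholders. This does not solve the other point raised above: inside the instance role, `aws:username` is still unavailable, so policies on the role itself must be written without it.

```python
import json

# Constructed placeholder values; substitute your own account id and naming scheme.
ACCOUNT_ID = "123456789012"
ROLE_PREFIX = "ec2-for-"  # hypothetical convention: one instance role per IAM user


def pass_role_policy() -> dict:
    """One managed policy attached to every user.

    IAM substitutes ${aws:username} at evaluation time, so user 'alice'
    may pass only role 'ec2-for-alice', and only to the EC2 service.
    The policy never needs editing when users are added or removed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassOnlyOwnInstanceRoleToEc2",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                # f-string: '${{' renders as the literal '${' IAM expects
                "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}${{aws:username}}",
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
                },
            }
        ],
    }


def instance_role_trust_policy() -> dict:
    """Trust policy for each per-user role: only EC2 may assume it.

    Because no IAM user is a trusted principal, a user cannot bypass the
    PassRole restriction by calling sts:AssumeRole on another user's role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def can_pass_role(username: str, role_arn: str,
                  service: str = "ec2.amazonaws.com") -> bool:
    """Local approximation of how IAM evaluates pass_role_policy().

    Substitutes ${aws:username}, compares the role ARN and checks the
    iam:PassedToService condition. It is a readability aid for this example,
    not an IAM simulator; use the IAM policy simulator for authoritative checks.
    """
    stmt = pass_role_policy()["Statement"][0]
    allowed_arn = stmt["Resource"].replace("${aws:username}", username)
    condition_ok = stmt["Condition"]["StringEquals"]["iam:PassedToService"] == service
    return role_arn == allowed_arn and condition_ok


if __name__ == "__main__":
    print(json.dumps(pass_role_policy(), indent=2))
    print(json.dumps(instance_role_trust_policy(), indent=2))
    own = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}alice"
    other = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}bob"
    print("alice -> own role:  ", can_pass_role("alice", own))    # True
    print("alice -> bob's role:", can_pass_role("alice", other))  # False
```

Users still need the usual `ec2:RunInstances` and related permissions from their existing policies; this policy only governs which instance role they may attach. The per-user roles themselves still have to exist and carry the user's S3 and EC2 restrictions, since the instance role cannot inherit the launching user's policies.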